Cyber-Incident Risk in Canada and the Role of Insurance


APRIL 2004

ICLR Research Paper Series - No. 38
ISBN:

Authors:

Paul Kovacs
Executive Director, Institute for Catastrophic Loss Reduction
Adjunct Research Professor, Economics, The University of Western Ontario

Melissa Markham
Co-ordinator, Urban Issues, Institute for Catastrophic Loss Reduction

Robert Sweeting
Manager, Research, Institute for Catastrophic Loss Reduction

The Institute for Catastrophic Loss Reduction, established in 1998, is a world-class centre for multi-disciplinary disaster prevention research and communications. ICLR is an independent, not-for-profit research institute founded by the insurance industry and affiliated with the University of Western Ontario. ICLR staff and research associates are recognized internationally for their expertise in wind and seismic engineering, atmospheric science, risk perception, hydrology, economics, geography, health sciences, and public policy, among other disciplines.

ICLR's mission is to reduce the loss of life and property caused by severe weather and earthquakes through the identification and support of sustained actions that improve society's capacity to adapt to, anticipate, mitigate, withstand, and recover from natural disasters. ICLR's mandate is to confront the alarming increase in disaster losses caused by natural disasters and to work to reduce disaster deaths, injuries, and property damage. ICLR is committed to the development and communication of disaster prevention knowledge. ICLR is a leader in disaster loss prevention research and the development of loss prevention strategies with respect to the growing frequency and severity of extreme weather events. Multidisciplinary research is central to ICLR's work in helping communities to become more resilient and better able to prevent natural hazards from becoming disasters.

TABLE OF CONTENTS

Executive Summary ... i
1.0 Introduction
2.0 What is Cyber-Incident Risk and How Much is it Costing Businesses?
3.0 Vulnerability to Cyber-Incident Risk
4.0 The Role of Insurance
5.0 Loss Prevention and Mitigation
6.0 Conclusion
7.0 References/Bibliography ... 25
Appendix A Interviewees ... A-1
Appendix B Insurer Interview Questions ... B-1
Appendix C E-Business Solution Provider Interview Questions ... C-1

EXECUTIVE SUMMARY

1.0 Introduction

In 2003, the Institute for Catastrophic Loss Reduction began a study to research the insurance industry and its role in cyber-risk transfer and loss prevention. The work was carried out in two Phases:

Phase I Case Study Review. A literature review and data collection exercise was undertaken to examine cyber-incident risk in Canada and to describe the insurance environment of, and coverage for, these threats.

Phase II Consultation with Industry Stakeholders. A cross-section of insurance and reinsurance companies, and e-business solution providers were selected for consultation and a series of one-on-one interviews were concluded with senior officials from these firms.

This Final Report brings together the salient features of the Phase I and Phase II work in a single document. In broad terms, this Final Report:

- defines, details, and estimates cyber-incident risk costs and losses in Canada;
- discusses business vulnerability to cyber-incident risk and provides references to the global experience with the cyber-incident threat;
- examines the role of the insurance industry (including basic principles of insurance in providing standard policy coverage) in providing protection against cyber-incident risk; and
- discusses risk mitigation techniques to reduce the risk of cyber-incident events.

The paper describes the costs and vulnerabilities associated with cyber-incident risk and the ability of insurance to provide coverage for these risks.

2.0 What is Cyber-Incident Risk and How Much is it Costing Businesses?

This paper deals solely with risks associated with computer technology and the Internet, which includes hacking or unauthorized use of computer systems, denial of service issues, theft of proprietary information, and the distribution of viruses. It is not the intent of this paper to look at specific crimes conducted over the Internet (e.g., the misuse of telecom information or money laundering schemes).

In 2003, the CSI and the FBI conducted a Computer Crime and Security Survey. Survey respondents included computer security practitioners, government agencies, financial and medical institutions, and universities throughout the United States. According to the survey, 92 percent of respondents reported attacks on their computer systems during. The annual cost of major virus attack losses has increased sharply since the mid-1990s. The financial impact of viruses worldwide was estimated to be almost $18 billion in 2003 (Computer Economics, 2004). Based on global losses of this magnitude, the Institute for Catastrophic Loss Reduction estimates that computer viruses cost Canada between $1 billion and $2 billion in. Ernst & Young's 2003 Global Information Security Survey reports that hackers, worms, and other high-tech interference caused $11.1 billion in damages in 2002, more than a twenty-fold increase from 1995 (Ernst & Young, 2003).

April 2004 Institute for Catastrophic Loss Reduction Page i

3.0 Vulnerability to Cyber-Incident Risk

There are a number of significant cyber-incident risks that affect companies. A recent survey showed that three categories of cyber-incident risk (virus, denial of service, and theft of proprietary information) accounted for 81 percent of cyber-incident losses in the United States in 2002 (Computer Security Institute, 2003). When survey participants were asked whether they had insurance coverage for these types of losses, 33 percent said they believed that cyber-incident risks were covered by their general policies, while 34 percent said they did not have insurance (Computer Security Institute, 2003).

4.0 The Role of Insurance

Insurance companies provide coverage for many types of risk. Many corporations use insurance as a means to transfer risk. Insurance transfers individual risk to a pooled group, where the risk is absorbed by a larger market.

A. Standard Insurance Coverage

The standard market product for protecting businesses against the risk of accidents is Commercial General Liability (CGL) insurance.
When this type of coverage was created, the Internet did not exist and other cyber-incident risks were not widespread (the concept of cyber-incident risk was relatively unknown and the majority of businesses dealt with tangible assets); consequently, their associated risk exposures were not addressed in policies. Current CGL policies make it clear, with specific exclusions, that they do not cover intangible property such as electronic data and business interruption.

B. Cyber Insurance

Considering the barriers to coverage of cyber-incident risks by standard insurance policies, the market has been left to individual insurance companies to develop specialized cyber insurance products. Although some overlap does occur between cyber and standard insurance, damages incurred by denial of service, hacker attacks and cyber-incident risks are not typically covered in standard forms of insurance. The courts consistently uphold that data are not property and do not meet the direct physical loss requirement set out in standard insurance policies (IBC, 2003).

Because companies frequently do not report cyber-incident attacks, there are difficulties associated with historical data. Companies often do not report incidents when they occur because they believe consumer confidence will decrease with each cyber-incident occurrence. Consequently, the confidential nature of cyber incidents (driven by corporate fears of losing existing and potential customers if these incidents were made public) makes it difficult for insurance companies to collect data to project future losses. In the case of cyber-incident coverage, there are no historical records so insurers are setting prices without being able to completely quantify risks.

C. Cyber Insurance Pricing

While insurance companies have tried to quantify cyber-incident risk, it remains to be seen whether current premiums will prove to be adequate. Premiums can range from a few thousand dollars for base coverage for small businesses (less than $14 million in annual revenue) to several hundred thousand dollars for major corporations seeking comprehensive coverage. Cyber-related premiums range from $7,000 to $85,000 per $1.5 million worth of coverage, depending on the size and exposure of each company to online or electronic risk (McAfee Security, 2003). In 2003, three industry groups accounted for two-thirds of all cyber insurance policies purchased in the United States: the technology and telecommunications industry accounted for 38 percent, the financial services industry accounted for 18 percent, and the retail and wholesale industry accounted for 11 percent (Marsh Inc., 2003). Brokers estimated that, in 2002, businesses purchased only $150 million to $300 million of this type of insurance, despite estimates of potential cyber-related losses in the billions of dollars (Kelly, 2003).
As companies become more informed about cyber insurance, the market has the potential to become one of the biggest growth areas for insurers over the next few years, one that could develop into a $3.6 billion U.S. market by 2005 (Insurance Information Institute, 2003).

D. Types of Cyber Insurance Coverage

The growth of computer and Internet technology has led to an increased demand for insurance products that provide for various cyber-incident risks. Cyber-incident coverage is available currently as a specific stand-alone policy, which is tailored to meet the needs of each individual company. There are several insurance companies that underwrite the risk of cyber activity, although each policy differs regarding the level of risk exposure. During the course of this paper's consultations, American International Group (AIG), Chubb, Marsh, St. Paul Insurance Company, and Zurich North America were identified as insurance companies having some type of coverage available for cyber-incident risks.

During the stakeholder interviews, the cyber insurance coverages discussed most frequently were loss/corruption of data, business interruption, liability, cyber extortion, and rewards.

E. Current Issues with Cyber Insurance

When asked why businesses are not investing in cyber-incident insurance, the majority of our insurance, reinsurance, and e-business solution industry stakeholder interviewees stated that most of their clients are too small to afford the cost of insuring for this risk. The majority of e-business solution interviewees stated that their main clientele was comprised exclusively of Fortune 500 and large multi-national organizations. Companies have begun to look inward to self-insure their organizations because of rising premiums associated with cyber insurance.

F. Use of Risk Management

E-business solution interviewees noted that their companies provide services to firms at risk for business continuity, providing support such as data recovery, and mitigating software and hardware products that secure the system prior to an attack. E-business solution interviewees observed that all of the businesses that employ their services have an existing structure in place (such as a risk manager) to identify the need for these services. The use of risk managers is low in small- to mid-size companies, while larger multinational companies are better able to support a risk management staff. While large corporations, such as Fortune 500 companies, are able to identify and manage their cyber-incident risks through the use of mitigation and loss prevention methods, small- to mid-sized companies have fewer remedies available. These companies typically manage their risks through the purchase of software and hardware products to secure their systems against malicious attacks, viruses, and theft of proprietary data.
5.0 Loss Prevention and Mitigation

Growing dependence on information networks and changes in technology make it critical for businesses to adopt effective techniques to mitigate information security risks and to prevent losses. Information that flows freely over networks can be intercepted by outside sources, which makes businesses vulnerable to copyright and other violations. The insurance industry believes that mitigation techniques (for example, risk avoidance, deterrence, prevention, detection, recovery, and transfer) are essential toward improving the insurability of businesses and government agencies against cyber-incident risk (Gordon et al., 2003). By writing policies to insure against cyber-incidents, insurers provide risk transfer for cyber exposure, including incentives to employ best practices and improved mitigation strategies for managing these risks.

Gordon, Loeb and Sohail describe a cyber-incident risk management framework for information security that reduces and maintains risk at an appropriate level:

1. Assess risks. This requires companies to determine their own risk exposure and true costs. They must determine what their current level of insurance covers, including existing computer systems and the level of maintenance required.

2. Reduce risks. There are several techniques that can be employed to reduce risk, such as employee education, upgrades to anti-virus software and operating systems, increased security protocol, improvements in monitoring systems to detect intrusions, and the use of firewalls, encryption, and access control.

3. Maintain an acceptable level of risk. This can be achieved by determining the type of insurance policy required for each particular company, including the methods employed to reduce potential losses and increase security measures.

6.0 Conclusion

This paper has described the costs and vulnerabilities associated with, and the ability of insurance to provide coverage for, cyber-incident risk, including hacking or unauthorized use of computer systems, denial of service, theft of proprietary information, and virus distribution. The research has indicated clearly that:

Cyber-incidents are pervasive, costly, and escalating. Cyber-incidents have become quite extensive in the business community, with roughly 90 percent of U.S. companies currently reporting unauthorized system access, and cyber-incident losses shared roughly one-third each between denial of service, theft of private information, and virus distribution and other attacks. Considering virus attacks alone, some measures of the annual global financial impact of such strikes indicate a twenty-fold to forty-fold increase over the period from 1995 to.

The insurance industry has a meaningful role to play in cyber-risk transfer and loss prevention.
While standard insurance policies do not cover cyber-incident risk exposure, the insurance industry has designed a cyber-incident insurance product that responds to consumer needs. Recent (2002) estimates place business purchases of cyber-incident insurance coverage at $150 million to $300 million, with the technology and telecommunications industry being the largest purchaser of cyber insurance policies in the U.S. By writing cyber insurance policies, insurers provide risk transfer for cyber exposure, including incentives to employ best practices and improved mitigation strategies for managing these risks.

Risk reduction and mitigation strategies play a critical function in securing systems. Cyber-related premiums range from $7,000 to $85,000 per $1.5 million worth of coverage, depending on the size and exposure of each company to online or electronic risk. Consequently, many companies look inward and self-insure their organizations. In this regard, risk reduction and mitigation strategies (including the purchase of software and hardware products, such as upgrades to anti-virus software and operating systems, increased security protocol, improvements in monitoring systems to detect intrusions, and the use of firewalls, encryption, and access control) play a critical function in securing systems.

Cyber-incident statistics need to improve. The insurance industry is currently confronted by a dearth of cyber-incident data and insurers have been obligated to price cyber-incident coverage without being able to completely quantify risks. Because of the under-reporting of cyber-incident attacks (businesses are reluctant to report incidents for fear of economic losses), historical data on which to base cyber insurance premiums are limited.

After only a few years of experience with cyber-incident insurance coverage, it is clear that a sizeable market for the product has yet to emerge. Initial pricing for the coverage is material, and reinsurers continue to exclude it from their policies. Large amounts of new capital are not currently available to property-casualty insurers to fund cyber-incident risks. While the inability of insurers to fully fund such high-severity events may cause businesses to question the value of cyber-incident risk coverage, given time, awareness, and the prospect of additional cyber-incident attacks, more businesses are expected to seek insurance coverage.

1.0 Introduction

In 2003, the Institute for Catastrophic Loss Reduction began a study to research the insurance industry and its role in cyber-risk transfer and loss prevention. The work was carried out in two Phases:

Phase I Case Study Review. A literature review and data collection exercise was undertaken to examine cyber-incident risk in Canada and to describe the insurance environment of, and coverage for, these threats.

Phase II Consultation with Industry Stakeholders. A cross-section of insurance and reinsurance companies, and e-business solution providers were selected for consultation and a series of one-on-one interviews were concluded with senior officials from these firms.

This Final Report brings together the salient features of the Phase I and Phase II work in a single document. In broad terms, this Final Report:

- defines, details, and estimates cyber-incident risk costs and losses in Canada;
- discusses business vulnerability to cyber-incident risk and provides references to the global experience with the cyber-incident threat;
- examines the role of the insurance industry (including basic principles of insurance in providing standard policy coverage) in providing protection against cyber-incident risk; and
- discusses risk mitigation techniques to reduce the risk of cyber-incident events.

This Final Report is organized as follows:

Chapter I Introduction provides the background to this paper.

Chapter II What is Cyber-Incident Risk and How Much is it Costing Businesses? provides a definition of cyber-incident risk and some measures of cyber-incident losses.

Chapter III Vulnerability to Cyber-Incident Risk explores business vulnerability to cyber-incident risk as sources of revenue shift from tangible to intangible assets.

Chapter IV The Role of Insurance describes the role of insurance companies in providing standard insurance coverage and the impact this has on cyber insurance, including the case of Y2K, and the legal decisions that flowed from a U.S. court case that examined whether specific cyber-incident coverage was provided by standard insurance policies.

Chapter V Loss Prevention and Mitigation details a loss prevention and mitigation approach for dealing with cyber-incident risk.

Chapter VI Conclusion summarizes the current thinking surrounding cyber-incident risk and the role of insurance.

Chapter VII References/Bibliography provides details of the information sources used in this paper.

Appendix A Interviewees provides a list of the insurance, reinsurance, and e-business solution providers interviewed.

Appendix B Insurer Interview Questions provides the interview questions that were asked of the insurance and reinsurance industry stakeholders.

Appendix C E-Business Solution Provider Interview Questions provides the interview questions that were asked of the e-business solution providers.

The paper describes the costs and vulnerabilities associated with cyber-incident risk and the ability of insurance to provide coverage for these risks. This paper does not set out to provide a comprehensive list of companies that provide cyber insurance products, nor does it seek to provide a detailed explanation of what their current coverage includes.

2.0 What is Cyber-Incident Risk and How Much is it Costing Businesses?

An investigation of the cyber-incident literature reveals that the subject is relatively new and that few definitions exist. Statistics Canada defines the term cyber-incident as a criminal offence involving a computer as the object of the crime, or the tool used to commit a material component of the offence (Kowalski, 2002). Both the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) view cyber issues as including fraud, theft of proprietary information, distribution of viruses, wiretapping, unauthorized insider access and abuse, denial of service, telecom eavesdropping, sabotage, and system penetration. To manage the scope of this paper, to bring clarity to the discussion, and to provide a framework for cyber-incident, this paper deals solely with risks associated with computer technology and the Internet, which includes hacking or unauthorized use of computer systems, denial of service issues, theft of proprietary information, and the distribution of viruses. It is not the intent of this paper to look at specific crimes conducted over the Internet (e.g., the misuse of telecom information or money laundering schemes).

Although the field of cyber-incident research is broad, there are few data available pertaining to the use of insurance as part of corporate cyber-incident risk management practices. There are, for example, no reliable data available regarding the actual costs of these losses (as recognized by individual companies) or of the number of cyber-incidents that actually occur. Most of the available information relates to the issue of computer viruses, as does the literature reflecting the large number of businesses that are affected adversely by these attacks. Still, some data do exist to illuminate elements of the cyber-incident issue. These data are discussed below.

In 2003, the CSI and the FBI conducted a Computer Crime and Security Survey. Survey respondents included computer security practitioners, government agencies, financial and medical institutions, and universities throughout the United States. According to the survey, 92 percent of respondents reported attacks on their computer systems during. By comparison, the same survey reported that 70 percent of companies suffered computer attacks in 2000, and 42 percent reported attacks in 1996 (Computer Security Institute, 2003). These data show how rapidly cyber-incident risk is growing.

The annual cost of major virus attack losses has increased sharply since the mid-1990s (see Table 2.1). As shown in Table 2.1, the financial impact of viruses worldwide was almost $18 billion in. Based on global losses of this magnitude, the Institute for Catastrophic Loss Reduction estimates that computer viruses cost Canada between $1 billion and $2 billion in.

Table 2.1 Annual Global Financial Impact of Major Virus Attacks ($CDN)

Year    Worldwide Economic Impact
2003    $17.5 billion
2001    $20.4 billion
1999    $18.0 billion
1997    $4.6 billion
1995    $0.7 billion

Source: ICLR, based on data from Computer Economics.

Notes: Figures include (1) the labour cost associated with analyzing, repairing, and cleansing of operating systems, applications, databases, networks, and machines; (2) the procurement cost of tools (hardware and software) required to assist technicians in performing the tasks listed above; (3) the expenses associated with hiring consultants or contract personnel to assist in any of the tasks listed above; and (4) the potential and direct loss of revenues due to a denial of service or a significant slowdown of services that are offered via the Internet or other network or computer channels that may have been impacted.

In the context of cyber incidents, greater reliance on computer systems is having negative impacts on business organizations. Companies are creating systems that are becoming more difficult to penetrate, but the next generation of computer hackers and terrorists will be products of the digital world with even more tools of destruction at their disposal (Denning, 2000). In 2002, 90 percent of U.S. businesses reported unauthorized system access (Insurance Information Institute, 2003). In a recent U.S. survey, 80 percent of respondents acknowledged economic losses as a result of cyber incidents (Computer Security Institute, 2003). These figures continue to rise, although the majority of respondents cannot identify precisely the financial costs of cyber incidents. According to the International Data Corporation (IDC), a global market advisory firm in the information technology and telecommunications industries, system security has become a priority among chief executives. As a result, spending on security-related software is the fastest growing area of information technology (IDC, 2003).
The increasing costs associated with cyber incidents are restrictive to companies that rely on computer and network systems to conduct business. Cyber-incident risks and related costs are usually too large for an individual company to manage without help. While many companies use firewalls, encryption, and anti-virus software, they are still at risk. The enormity of potential revenue loss by industry, coupled with the increase in major virus attacks, makes it difficult to determine how to protect businesses against these risks.

Ernst & Young's 2003 Global Information Security Survey describes cyber-incident risk costs as harmful to companies that rely on the Internet and network systems to conduct their business. The Ernst & Young survey also comments on research conducted by Computer Economics Inc. that estimates that hackers, worms, and other high-tech interference caused $11.1 billion in damages in 2002, more than a twenty-fold increase from 1995 (Ernst & Young, 2003). The survey also noted a change in the factors that inhibited information security. In 2002, the speed of change and increasing sophistication of threats were the leading factors inhibiting effective information security. In 2003, a shortage of available funds rose to the top of the list. The survey also noted that slightly more than half (52 percent) of the participants had experienced an unscheduled or unexpected outage of a critical business system, and 22 percent of these outages were attributed to major viruses or worms (Ernst & Young, 2003).

3.0 Vulnerability to Cyber-Incident Risk

Many organizations depend on computers and network systems to conduct their daily business. These systems have allowed companies to become more efficient and to reach a wider client market for their products and services. While there are enormous benefits to conducting business over network systems, there are also associated costs that are incurred due to increased corporate vulnerability to cyber-incident risks.

As a business tool, the use of a network for complex data transactions and proprietary computer data storage methods can have a dramatic effect on the management of a company. Nowadays, a company's decision to undertake these activities is no longer just an IT issue: risk management techniques are required to protect the security of information. For example, cyber incidents impinge on the privacy of personal information, which is now protected in Canada by the Information Protection and Electronic Document Act (this legislation is discussed later in this paper), and this presents a new challenge for Canadian businesses. As revenue generation shifts from tangible to intangible assets, companies are faced with an expanding number of intangible exposures, and as much as 80% of the market value of public companies comes from intangible assets (Wleugel, Dowdall and Grange, 2003). While network, Internet, and e-commerce activities are a source of cyber-incident risk for business, at this point in time, there are no reliable prevailing practices to quantify these risks and few historical data exist to place them in perspective. Specific cyber-incident risks include viruses, Trojan horses, unauthorized access, proprietary data theft, business interruption, and denial of service attacks. These events can affect many aspects of a company, including reputation and physical, informational, and systemic assets.
The testimony of Richard Pethia of the CERT Coordination Center (CERT/CC) before the House Select Committee on Homeland Security in June 2003 relays how vulnerable network systems are to cyber-incidents. His testimony also provides a convenient means to measure the increase in cyber-incident vulnerability. In his testimony, Mr. Pethia stated that CERT/CC receives reports of new sources of vulnerabilities. These vulnerabilities represent a weakness in a product that can be exploited in some way to help an attacker compromise a system (Pethia, 2003). In 1995, CERT/CC received 140 reports of new sources of vulnerabilities and by 2002, the number of annual reports received grew to more than 4,000. CERT/CC believes that technology is evolving so rapidly that software vendors are concentrating on the mass distribution of their products to market, and minimizing the time devoted to creating security features (Pethia, 2003). A better understanding of these issues should convince companies of the need for protection from cyber-incident attacks. The world is relying increasingly on technology to provide high-quality customer service, and, as a consequence, it has become more exposed to the threat of cyber-incidents. Canada s critical infrastructure, for example, is heavily reliant on computers, and is a prime target for hackers and other cyber criminals. Infrastructure such as power grids, transit systems, and air-traffic control are a few of the areas that are vulnerable to cyberincident risk. One example that highlights the complexity and interdependency of April 2004 Institute for Catastrophic Loss Reduction Page 6

16 Canada s infrastructure is described by PSEPC: in 1999, an employee dropped a wrench at a telecommunications switching station in Toronto, and this one incident disrupted electronic banking systems from British Columbia to Nova Scotia, resulting in the interruption of trading on the Toronto Stock Exchange. This single cyber-incident resulted in a financial loss of over $1 billion to Canadian businesses and the federal government (Purdy, 2001). A. Types of Cyber-Incident Risk There are a number of significant cyber-incident risks that affect companies. As shown in Chart 3.1, a recent survey showed that three categories of cyber-incident risk virus, denial of service, and theft of proprietary information accounted for 81 percent of cyber-incident losses in the United States in 2002 (Computer Security Institute, 2003). When survey participants were asked whether they had insurance coverage for these types of losses, 33 percent said they believed that cyber-incident risks were covered by their general policies, while 34 percent said they did not have insurance (Computer Security Institute, 2003). Chart 3.1 Losses by Type of Cyber-Incident Risk, United States, % 30% 20% 10% 0% Virus Denial of Service Theft of P.I. Other Source: CSI/FBI 2003 Computer Crime & Security Survey, Along with greater reliance on technology has come greater vulnerability to network disruptions, security breaches, computer viruses, information theft, and a host of other liabilities and direct losses. In most cases, the exposures caused by these events fall outside the realm of traditional insurance policies, creating serious coverage gaps for companies looking to safeguard their systems and intangible assets, such as databases housed on these systems. Since no system is completely impenetrable and few companies have purchased coverage for cyber-incident risks, it is important to consider what role the insurance industry should play in helping minimize cyber-incident impacts. 
This issue is discussed in the next section of this paper.

4.0 The Role of Insurance

As companies become more vulnerable to cyber-incident risks, they are looking increasingly to the insurance industry to offer coverage for these events. In this context, it is important that the role of insurance be understood. The Insurance Bureau of Canada (IBC) defines insurance as follows:

General insurance (property and casualty, or "P&C" insurance) is a promise to pay (reimburse) should certain things go wrong. Insurance replaces uncertainty with a degree of certainty, providing financial peace of mind in a world filled with risk. The basic principle of general (non-life) insurance is that the fees or "premiums" (and often the investment income derived from those premiums) of all participants or "policyholders" pay for the losses of an unfortunate few. It's a way of sharing financial risk. (IBC, 2003)

Many corporations use insurance as a means to transfer risk. Insurance transfers individual risk to a pooled group, where the risk is absorbed by a larger market. Before examining the role the insurance industry has to play in providing cyber insurance policies and cyber-incident coverage, standard insurance policy coverage must first be understood. This is discussed below.

A. Standard Insurance Coverage

Insurance companies provide coverage for many types of risk. The standard market product for protecting businesses against the risk of accidents is Commercial General Liability (CGL) insurance. When this type of coverage was created, the Internet did not exist and other cyber-incident risks were not widespread (the concept of cyber-incident risk was relatively unknown and the majority of businesses dealt with tangible assets); consequently, the associated risk exposures were not addressed in policies.
While businesses are currently looking to the insurance industry to provide services that diminish their direct cyber-incident risks, it must be recognized that this protection does not exist within their existing CGL insurance policies. Standard insurance coverage was designed to protect tangible assets. Standard forms of insurance primarily cover bodily injury and tangible property loss, and they do not cover the legal liabilities arising from the transmission of a computer virus or the computer theft of customer information (Assurex International, 2000). While uncertainty has existed in the past concerning which cyber-incident risks are covered under traditional business insurance policies, current CGL policies make it clear, with specific exclusions, that they do not cover intangible property such as electronic data, nor the resulting business interruption. For a risk to qualify as insurable, it must meet three key underwriting requirements (IBC, 1999):

1. A relatively large population is exposed to the risk. This condition ensures that insurance companies have a large enough group over which to spread the risk.

2. A small share of the exposed population is likely to incur a loss at any particular time. For insurers to absorb an event, the risks they underwrite must not affect all of their policyholders at once; otherwise they would not have the capacity to cover all of the resulting losses.

3. Losses occur randomly.

These three insurability requirements are significant. Most of the insurance company senior officials who were interviewed for this paper made reference to cyber-incident exclusions based on these criteria. The significance of the three requirements can be illustrated with a number of cases. Below, Case 1 (Y2K and the Role of Insurance) considers the Y2K issue, which brought much attention to insurance coverage in the late 1990s and was the first major cyber-incident risk to command the attention of the public and the insurance industry. Y2K was not considered to be an insurable peril. It highlighted the limited coverage insurers provide for the risks of computer failure.

Case 1. Y2K and the Role of Insurance

The Y2K computer problem received worldwide attention in the late 1990s. The Y2K problem flowed from the fact that computers were not initially programmed to deal with the rollover in time from 1999 to 2000 (many systems stored the year as only two digits). To ensure that computers would continue to function in the year 2000, companies needed to update their programming to accommodate this change. It was widely believed that the computer technologies on which the world relied for critical services could fail at midnight on New Year's Eve 1999/2000. The insurance industry was very active in describing its role in relation to Y2K losses. Three key underwriting requirements were put forward to qualify for coverage (IBC, 1999): a relatively large population is exposed to a risk; a relatively small share of the exposed population is likely to incur a loss at any particular time; and losses occur randomly.
In the case of Y2K, these requirements were not met and, as a result, standard insurance policies did not address this risk: equipment failures were not insured losses, although some indirect losses would have been covered. Throughout the build-up to Y2K, insurance companies stressed the importance of managing risk by anticipating and mitigating possible failures. Because Y2K was both foreseen and predicted, businesses had time to take the necessary precautions to prevent adverse impacts. Y2K thus demonstrated that cyber-incident risks related to the event did not qualify for standard insurance coverage because they did not meet all three key underwriting principles. As a cyber-incident risk, Y2K exposed a relatively large population, but a large (rather than small) share of that population was liable to incur a loss at the same time, and the anticipated losses generally would not be random occurrences.
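The three underwriting requirements applied to Y2K above (a large exposed population, a small share incurring loss at any one time, random occurrence) can be made concrete with a small simulation. The Python below is an added example, not part of the ICLR paper or its sources; the pool size, claim probabilities and loss per claim are assumptions chosen so that both regimes have the same expected loss per policy, and the random numbers are seeded so the run is repeatable. It contrasts an automobile-style pool of independent claims with a pool whose losses arrive only through a common event (a worm or a shared-platform failure) that hits many policyholders in the same year, and reports the pure premium and the capital an insurer would need to fund a one-in-a-hundred year.

```python
"""Added illustration of the three insurability requirements (not from the ICLR paper).

Two pools with the SAME expected loss per policy are simulated:
  * an independent regime, where each policy has its own small chance of a claim
    each year (automobile-style: requirements 2 and 3 hold);
  * a common-shock regime, where losses arise only when one event hits the pool
    and a large share of policyholders claim in the same year (requirement 2
    fails, and losses are not random across policyholders).
All parameters below are assumptions chosen for illustration, not actuarial data.
"""
import random
from typing import Dict, List

N_POLICIES = 1_000          # assumed number of policies in the pool
YEARS = 4_000               # assumed number of simulated policy years
LOSS_PER_CLAIM = 50_000.0   # assumed average loss per claim, in dollars


def count_claims(rng: random.Random, n: int, p: float) -> int:
    """Number of policies out of n that claim this year, each independently with probability p."""
    return sum(1 for _ in range(n) if rng.random() < p)


def independent_losses(years: int = YEARS, n: int = N_POLICIES,
                       p_claim: float = 0.02, seed: int = 1) -> List[float]:
    """Aggregate annual losses when every policyholder's claim is an independent event."""
    rng = random.Random(seed)
    return [count_claims(rng, n, p_claim) * LOSS_PER_CLAIM for _ in range(years)]


def common_shock_losses(years: int = YEARS, n: int = N_POLICIES, p_shock: float = 0.05,
                        p_hit_given_shock: float = 0.40, seed: int = 2) -> List[float]:
    """Aggregate annual losses when claims occur only in years with a pool-wide event.

    p_shock * p_hit_given_shock == 0.02, so the expected claim rate per policy
    matches independent_losses(); only the correlation structure differs.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        if rng.random() < p_shock:
            losses.append(count_claims(rng, n, p_hit_given_shock) * LOSS_PER_CLAIM)
        else:
            losses.append(0.0)
    return losses


def percentile(values: List[float], q: float) -> float:
    """Empirical q-quantile (0 < q < 1) of the simulated annual losses."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(losses: List[float], n: int = N_POLICIES) -> Dict[str, float]:
    """Pure premium and the capital needed to survive a one-in-a-hundred year."""
    mean = sum(losses) / len(losses)
    bad_year = percentile(losses, 0.99)
    return {
        "mean_annual_loss": mean,
        "pure_premium_per_policy": mean / n,            # expected loss, before expenses and profit
        "loss_99th_percentile": bad_year,
        "tail_ratio": bad_year / mean,                  # how much worse a bad year is than an average one
        "capital_per_policy_for_99th": (bad_year - mean) / n,  # buffer above the collected pure premium
        "share_of_loss_free_years": sum(1 for x in losses if x == 0) / len(losses),
    }


if __name__ == "__main__":
    for name, losses in (("independent claims", independent_losses()),
                         ("common-shock claims", common_shock_losses())):
        print(name)
        for key, value in summarize(losses).items():
            print(f"  {key:30s} {value:14,.3f}")
```

Running the block prints both summaries. With the assumed parameters the two pools collect the same pure premium, but in the common-shock pool a one-in-a-hundred year costs roughly twenty times an average year rather than about one and a half times, and most years show no loss at all, so the capital the insurer must hold per policy is tens of times larger. That arithmetic is what lies behind the contrast insurers draw between automobile insurance and cyber-incident risk: the pooled premium cannot fund a year in which a large share of the pool claims at once.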

During our consultations with industry stakeholders, many insurance and reinsurance executives viewed cyber-incident risks as catastrophic events that are not insurable under standard insurance policies. One of the reinsurance company interviewees made reference to the three key underwriting principles and described the problems that arise when insuring a catastrophic risk. This interviewee stated that a catastrophic risk occurs when there is a high probability that many businesses will experience a loss or be damaged at the same time. Cyber-incident risks are not covered under standard insurance policies. Nevertheless, there are a few insurance companies willing to underwrite risks related to cyber-incidents. Interviewees often contrasted cyber-incident risk with automobile insurance. One insurer interviewee stated that their company has a large enough market to spread the risk of automobile insurance because few accidents happen in relation to the large number of people who are insured, and each event is a random occurrence. This insurer explained that they do not provide cyber insurance coverage because this risk does not meet the same insurability requirements as automobile insurance coverage. Interviewees also noted that, while actuarial data exist to estimate (with a high degree of reliability) potential losses for automobiles, there are so many unknowns associated with cyber-incidents that several years of historical data would need to be examined before potential losses could be estimated with any degree of accuracy. Several claims have been filed in recent years related to cyber-incident losses in the United States. These cases have gone to the courts to determine whether standard insurance policies cover losses from cyber-incident risks. At issue is the assertion of insurers and reinsurers that a loss caused by network or computer problems is not a physical loss of, or damage to, tangible business property and is therefore not covered.
Case 2 (AOL v. St. Paul) supports this opinion (see below).

Case 2. AOL v. St. Paul

One way to establish whether specific cyber-incident coverage is provided by standard insurance policies is to consider how the courts are dealing with the issue. A recent case that addressed this issue in the United States was AOL v. St. Paul. In this case, a trial court ruled that damage to computer data did not constitute "property damage" under a Commercial General Liability (CGL) insurance policy, concluding that data were not tangible property. The same court also ruled that loss of use of a computer (indisputably "tangible property") on which data reside was, under the particular facts of AOL v. St. Paul, not covered because of the "impaired property" exclusion. Rossi concluded that, faced with this type of uncertainty in standard insurance coverage, companies will purchase stand-alone policies for greater peace of mind. As early as 2000, reinsurers were limiting coverage for losses arising from cyber and network risks. In 2001, revisions to the CGL policy form clarified the definition of property damage, stating that electronic data is not tangible property. This revision illustrates a key coverage limit that currently exists in standard insurance policies. Source: Rossi.

Without reinsurance coverage for these types of losses, insurers have increased the use of exclusionary wording in insurance policies dealing with cyber-incident coverage. For example, the Insurance Bureau of Canada has produced an Advisory Model Wording to describe current coverage related to the Commercial Building, Equipment and Stock Broad Form. Section 6 (D) of that document states that:

This form does not insure against loss or damage caused directly or indirectly by the failure of any:
a. electronic data processing equipment, or other equipment, including micro-chips embedded therein;
b. computer program;
c. software;
d. media;
e. data;
f. memory storage system;
g. memory storage device;
h. real time clock;
i. date calculator; or
j. any other related component, system, process or device,
to correctly read, recognize, interpret or process any encoded, abbreviated or encrypted date, time or combined date/time data or data field. Such failure shall include any error in original or modified data entry or programming.

Note that the clause quoted is a date-recognition exclusion of the kind adopted in response to Y2K: it removes cover for failures to process date and time data, not for cyber-incident losses in general. The broader gap arises from the treatment of electronic data as intangible property, described under Case 2 above. With such exclusions in standard insurance coverage, businesses need to purchase specific policies that provide coverage for cyber-incident risks. That is, while cyber-incident risks do not qualify for traditional insurance coverage, there are other ways for these events to be insured. Typically, when a new loss exposure arises, a number of brokers and insurers will respond to the challenge by creating products to fund the potential new losses. Given the barriers to coverage of cyber-incident risks by standard insurance policies, the market has been left to individual insurance companies to develop specialized cyber insurance products. This is discussed in the sections below.

B. Cyber Insurance

A useful definition of cyber insurance was provided by Ty Sagalow (of American International Group (AIG) e-Business Risk Solutions).
He defines cyber insurance as a specialized policy that provides both insurance and risk management services against various types of cyber-incident risk (Sagalow, 2001). Insurance that covers cyber-incident risk has existed since the late 1990s. The major factor that led to greater business interest in cyber insurance was the realization, after issues such as Y2K, that these risks were largely not covered under basic insurance policies, at a time when corporate vulnerability to cyber-incidents was growing.

Although some overlap does occur between cyber and standard insurance, damages incurred through denial of service, hacker attacks and other cyber-incident risks are not typically covered in standard forms of insurance. The courts consistently uphold that data are not property and do not meet the direct physical loss requirement set out in standard insurance policies (IBC, 2003). An interview respondent expressed this sentiment as follows: "data is intangible and the perils to data are viruses and hackers, not fire and flood, which are the standard hazards that insurance companies insure against." The primary concern in insuring against cyber-incident risks is to identify and protect intangible property.

Underwriting cyber-incident risks is complex. Cyber insurance is an evolving field, and the policies that currently exist to protect against cyber-incident risks will require continuing modification to respond to the changing environment. Coverage for cyber-incident risks must take into account myriad factors, such as the technology being used by an individual company and the risk that is involved. Historical data are lacking, and in a rapidly changing technological environment businesses are providing services that were not even contemplated a few years ago. By writing policies for cyber-incident exposures, the insurance industry is providing (III, 2003):

1. Virtual risk transfer for network security exposures.
2. Incentives for network security best practices, including lower insurance premiums.
3. Improved cyber-risk management and education.

To design policies that protect against cyber-incident risk, insurance companies must consider three key issues: pricing, adverse selection, and moral hazard (Gordon et al., 2003). These three issues are discussed below.

Pricing

Traditionally, the pricing of insurance coverage is related directly to the calculation of risk.
Insurance companies rely on actuarial tables (constructed from historical records) to determine proper pricing for the risks they cover. If this approach were applied to cyber-incident risk, insurers would need to know how often cyber-incident events have occurred in the past and the likelihood of future occurrences. In the case of cyber-incident coverage, there is little historical record, so insurers are setting prices without being able to fully quantify the risks. Because companies frequently do not report cyber-incident attacks, the historical data that do exist are unreliable. Companies often do not report incidents when they occur because they believe consumer confidence will decrease with each cyber-incident occurrence. Consequently, the confidential nature of cyber-incidents, driven by corporate fears of losing existing and potential customers if these incidents were made public, makes it difficult for insurance companies to collect data with which to project future losses. As a result of under-reporting, historical data on which to base cyber insurance

premiums are limited (Insurance Information Institute, 2003). From a Canadian perspective, Statistics Canada also reports that cyber-incident crime may be one of the most under-reported forms of criminal behaviour because businesses are reluctant to report incidents for fear of economic losses (Kowalski, 2002). Cyber-incident statistics need to improve. Case 3 (Mafiaboy) illustrates how financial losses can occur when cyber-incidents are reported (see below).

Case 3. Mafiaboy

An incident in 2000 demonstrated the extreme risks that cyber crimes pose to companies worldwide. This cyber-incident case was caused by an inexperienced 15-year-old Montreal computer hacker who was responsible for 58 attacks and security breaches of Internet sites in Canada, the United States, Denmark, and Korea in February 2000. Known as Mafiaboy, he launched denial-of-service attacks that overloaded the targeted websites with so much traffic that users were unable to reach these web addresses for several hours. Many companies were affected by Mafiaboy, including Yahoo!, eBay, Amazon, CNN, and the Microsoft network. The volume of Internet-based customers that these companies serve requires them to be Internet-accessible at all times to conduct their business. The denial-of-service attacks either disrupted Internet service or completely shut down each website for a period of an hour to more than three hours. Companies accept a certain level of risk by relying primarily on the Internet for revenue. While many companies experience denial-of-service attacks, such strikes are often not reported to the police. They are referred to as "glitches" so as not to deter customers from using the company's services in the future because of concern over security issues. Mafiaboy's attacks on the Internet sites of Yahoo! and eBay were followed by a decrease in their stock values of between 17 and 23 percent in the weeks after the attacks.
Market reactions such as this demonstrate why companies are reluctant to disclose cyber-incidents. While insurance companies have tried to quantify cyber-incident risk, it remains to be seen whether current premiums will prove to be adequate. Premiums can range from a few thousand dollars for base coverage for small businesses (less than $14 million in annual revenue) to several hundred thousand dollars for major corporations seeking comprehensive coverage. McAfee Security states that cyber-related premiums range from $7,000 to $85,000 per $1.5 million of coverage, depending on the size of each company and its exposure to online or electronic risk (McAfee Security, 2003). Brokers estimated that, in 2002, businesses purchased only $150 million to $300 million of this type of insurance, despite estimates of potential cyber-related losses in the billions of dollars (Kelly, 2003).


More information

Cyber Risks and Insurance Solutions Malaysia, November 2013

Cyber Risks and Insurance Solutions Malaysia, November 2013 Cyber Risks and Insurance Solutions Malaysia, November 2013 Dynamic but vulnerable IT environment 2 Cyber risks are many and varied Malicious attacks Cyber theft/cyber fraud Cyber terrorism Cyber warfare

More information

OECD PROJECT ON CYBER RISK INSURANCE

OECD PROJECT ON CYBER RISK INSURANCE OECD PROJECT ON CYBER RISK INSURANCE Introduction 1. Cyber risks pose a real threat to society and the economy, the recognition of which has been given increasingly wide media coverage in recent years.

More information

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC Data breach! cyber and privacy risks Brian Wright Michael Guidry Lloyd Guidry LLC Collaborative approach Objective: To develop your understanding of a data breach, and risk transfer options to help you

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Risks and uncertainties

Risks and uncertainties Risks and uncertainties Our risk management approach We have a well-established risk management methodology which we use throughout the business to allow us to identify and manage the principal risks that

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace

Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace Senate Committee on Commerce, Science, and Transportation March 19, 2015, Hearing Examining the Evolving Cyber Insurance Marketplace Testimony of Ben Beeson Vice President, Cyber Security and Privacy Lockton

More information

Executive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6

Executive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6 Securing the State Of Michigan Information Technology Resources Table of Contents Executive Overview...4 Importance to Citizens, Businesses and Government...5 Emergency Management and Preparedness...6

More information

Glossary of Insurance Terms

Glossary of Insurance Terms From the Insurance Bureau of Canada (IBC) Accident: An event that happens by chance and is not expected in the normal course of events, which results in harm to people, damage to property or equipment,

More information

Cyber Risks in Italian market

Cyber Risks in Italian market Cyber Risks in Italian market Milano, 01.10.2014 Forum Ri&Assicurativo Gianmarco Capannini Agenda 1 Cyber Risk - USA 2 Cyber Risk Europe experience trends Market size and trends Market size and trends

More information

CADRI HOMEOWNER PROPERTY INSURANCE SURVEY REPORT

CADRI HOMEOWNER PROPERTY INSURANCE SURVEY REPORT CADRI HOMEOWNER PROPERTY INSURANCE SURVEY REPORT NOVEMBER 2015 1 INTRODUCTION The Canadian Association of Direct Relationship Insurers (CADRI) is a trade association representing insurance companies who

More information

Testimony of PETER J. BESHAR. Executive Vice President and General Counsel. Marsh & McLennan Companies

Testimony of PETER J. BESHAR. Executive Vice President and General Counsel. Marsh & McLennan Companies Marsh & McLennan Companies, Inc. 1166 Avenue of the Americas New York, NY 10036 +1 212 345 5000 Fax +1 212 345 4808 Testimony of PETER J. BESHAR Executive Vice President and General Counsel Marsh & McLennan

More information

How To Cover A Data Breach In The European Market

How To Cover A Data Breach In The European Market SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE Businesses today rely heavily on computer networks. Using computers, and logging on to public and private networks has become second nature to

More information

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 Outline Infosec, COMPUSEC, COMSEC, and Network Security Why do we need Infosec and COMSEC? Security

More information

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Exercising Your Enterprise Cyber Response Crisis Management Capabilities Exercising Your Enterprise Cyber Response Crisis Management Capabilities Ray Abide, PricewaterhouseCoopers, LLP 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.

More information

INTegrity by Chubb SM. Errors & Omissions Liability Insurance for Information and Network Technology Companies

INTegrity by Chubb SM. Errors & Omissions Liability Insurance for Information and Network Technology Companies INTegrity by Chubb SM Errors & Omissions Liability Insurance for Information and Network Technology Companies Will your company be the next target of an E&O lawsuit? The stakes in technology errors and

More information

Insurance & Risk Management Update: November 2011

Insurance & Risk Management Update: November 2011 Insurance & Risk Management Update: November 2011 Jeffrey A. Lind, CPCU, CIC Clark Insurance November 17, 2011 Topics Current state of the insurance marketplace Property & Liability Flood Risk Hurricane

More information

2015 Travelers Business Risk Index. Findings from a survey of U.S. business risk decision makers May 2015

2015 Travelers Business Risk Index. Findings from a survey of U.S. business risk decision makers May 2015 2015 Travelers Business Risk Index Findings from a survey of U.S. business risk decision makers May 2015 Contents executive summary 2 Rising medical and benefit costs 3 Cyber risks 3 Legal liability 4

More information

Cyber and Data Security. Proposal form

Cyber and Data Security. Proposal form Cyber and Data Security Proposal form This proposal form must be completed and signed by a principal, director or a partner of the proposed insured. Cover and Quotation requirements Please indicate which

More information

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison Gary Solway* Bennett Jones LLP The August release of the purported names and other details of over 35 million customers

More information

Business Owner s Policy (BOP)

Business Owner s Policy (BOP) A. BOP: What It Is B. BOP: Why You Need It C. BOP: What It Covers D. BOP: What It Costs E. BOP: Coverage Options F. BOP: Claims G. BOP: How To Buy It H. BOP: 10 Good Things To Ask About Business Owner

More information

CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY. October 2014. Sponsored by:

CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY. October 2014. Sponsored by: CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY October 2014 CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY Global reinsurer PartnerRe collaborated with Advisen to conduct a comprehensive market survey

More information

PCI Compliance for Healthcare

PCI Compliance for Healthcare PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?

More information

Beyond Data Breach: Cyber Trends and Exposures

Beyond Data Breach: Cyber Trends and Exposures Beyond Data Breach: Cyber Trends and Exposures Vietnam 7 th May 2015 Jason Kelly Head of Asia Financial Lines AIG Agenda Why do companies need cyber protection Example of Cyber attack worldwide and in

More information

Joe A. Ramirez Catherine Crane

Joe A. Ramirez Catherine Crane RIMS/RMAFP PRESENTATION Joe A. Ramirez Catherine Crane RISK TRANSFER VIA INSURANCE Most Common Method Involves Assessment of Risk and Loss Potential Risk of Loss Transferred For a Premium Insurance Contract

More information

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ APIP - Cyber Liability Insurance Coverages, Limits, and FAQ The state of Washington purchases property insurance from Alliant Insurance Services through the Alliant Property Insurance Program (APIP). APIP

More information

STATE OF CYBER SECURITY IN ETHIOPIA

STATE OF CYBER SECURITY IN ETHIOPIA ETIOPIAN TELECOMMUNICATIONS AGENCY STATE OF CYBER SECURITY IN ETHIOPIA By Mr. Balcha Reba Ethiopian Telecommunications Agency Standards and Inspection Department Head, Standards Division email: tele.agency@ethionet.et

More information

CYBER RISK SECURITY, NETWORK & PRIVACY

CYBER RISK SECURITY, NETWORK & PRIVACY CYBER RISK SECURITY, NETWORK & PRIVACY CYBER SECURITY, NETWORK & PRIVACY In the ever-evolving technological landscape in which we live, our lives are dominated by technology. The development and widespread

More information

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1

PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS DA-1 PUBLIC POWER CORPORATION S.A. INFORMATION TECHNOLOGY DIVISION CENTRAL SYSTEMS SUPPORT SECTION IT SYSTEMS SECURITY SUBSECTION PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks

Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks Protecting Your Assets: How To Safeguard Your Fund Against Cyber Security Attacks Hacks, breaches, stolen data, trade secrets hijacked, privacy violated, ransom demands made; how can you protect your data

More information

April 2011. Cyber risks: Understanding your insurance protection

April 2011. Cyber risks: Understanding your insurance protection April 2011 Cyber risks: Understanding your insurance protection The information contained in this paper provides only a general overview of subjects covered. It is not intended to be taken as advice regarding

More information

Tools Conference Toronto November 26, 2014 Insurance for NFP s. Presented by Paul Spark HUB International HKMB Limited

Tools Conference Toronto November 26, 2014 Insurance for NFP s. Presented by Paul Spark HUB International HKMB Limited Tools Conference Toronto November 26, 2014 Insurance for NFP s Presented by Paul Spark HUB International HKMB Limited Topics Insurance Policies Basics Directors and Officers Liability Insurance Commercial

More information

The Impact of Cybercrime on Business

The Impact of Cybercrime on Business The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted

More information

Network Security and the Small Business

Network Security and the Small Business Network Security and the Small Business Why network security is important for a small business Many small businesses think that they are less likely targets for security attacks as compared to large enterprises,

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Management of IT Risks

Management of IT Risks 10 number 39 // 2-2006 Management of IT Risks Esther Cerdeño Deputy Director of IT MAPFRE REASEGUROS (Spain) The market needs insurers to study the feasibility of insuring costs relating to loss of information;

More information

Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

Operational Risk Management Policy

Operational Risk Management Policy Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well

More information

Computer Security Incident Response Planning. Preparing for the Inevitable

Computer Security Incident Response Planning. Preparing for the Inevitable Computer Security Incident Response Planning Preparing for the Inevitable Introduction Computers and computer networks have been part of the corporate landscape for decades. But it s only in the last five

More information

Unit 3 Cyber security

Unit 3 Cyber security 2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:

More information

CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY

CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY October 2015 CYBER LIABILITY INSURANCE MARKET TRENDS: SURVEY Global reinsurer PartnerRe has once again collaborated with Advisen to conduct a comprehensive

More information

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION

RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION October 23, 2015 THREAT ENVIRONMENT Growing incentive for insiders to abuse access to sensitive data for financial gain Disgruntled current and former

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

How To Audit The Mint'S Information Technology

How To Audit The Mint'S Information Technology Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc.

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc. Copyright 2007 Pearson Education, Inc. Slide 5-1 E-commerce business. technology. society. Second Edition Kenneth C. Laudon Carol Guercio Traver Copyright 2007 Pearson Education, Inc. Slide 5-2 Chapter

More information

8 WAYS TO SAVE MONEY ON BUSINESS INSURANCE. Reduce Your Risk While Saving Money

8 WAYS TO SAVE MONEY ON BUSINESS INSURANCE. Reduce Your Risk While Saving Money 8 WAYS TO SAVE MONEY ON BUSINESS INSURANCE Reduce Your Risk While Saving Money Reduce Your Risk While Saving Money Few businesses have the financial resources to self-insure against large risks, such as

More information

Risk Control Industry Guide Series. Telecommunications Industry

Risk Control Industry Guide Series. Telecommunications Industry Risk Control Industry Guide Series Telecommunications Industry This study reflects on information derived from insurance claims. These claims form a database that can be analyzed to determine the many

More information

8 2014/2015 INSURANCE COVERAGE RENEWAL

8 2014/2015 INSURANCE COVERAGE RENEWAL Clause No. 8 in Report No. 12 of the was adopted, without amendment, by the Council of The Regional Municipality of York at its meeting held on June 26, 2014. 8 2014/2015 INSURANCE COVERAGE RENEWAL recommends

More information

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs EXECUTIVE SUMMARY Supervisory Control and Data Acquisition (SCADA) systems are used for remote

More information

NZI LIABILITY CYBER. Are you protected?

NZI LIABILITY CYBER. Are you protected? NZI LIABILITY CYBER Are you protected? Any business that operates online is vulnerable to cyber attacks and data breaches. From viruses and hackers to employee error and system damage, your business is

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information